How client-side security works
Cloudflare's client-side security helps manage client-side resources (which include scripts and their connections) loaded by your website visitors, and provides visibility on the cookies recently detected in HTTP traffic. Client-side security can trigger alert notifications when resources change or are considered malicious.
Enabling resource monitoring adds a Content Security Policy (CSP) deployed with a report-only directive to collect information from the browser. This allows Cloudflare to provide you with a list of all scripts running on your application and the connections they make to third-party endpoints. Cloudflare also monitors ingress and egress traffic for cookies, either set by origin servers or by the visitor's browser.
The client-side resource monitoring dashboard shows the list of active scripts, connections, and cookies. The All Reported Scripts and All Reported Connections dashboards show the full list of detected scripts and connections in your domain, respectively, including infrequent and inactive ones.
Cloudflare adds a CSP report-only HTTP header used to monitor webpage resources to a sample of sent responses. This means that there may be a small delay between deploying a script or cookie and having its data displayed in the resource monitoring dashboards.
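As an added illustration (not Cloudflare's code, and not a description of how Cloudflare stores or classifies reports), the following Python consumes browser CSP violation reports in the standard report-uri JSON format and builds the kind of script and connection inventory that report-only monitoring yields; the report bodies, hosts, paths and baseline list are constructed for the example.

```python
import json
from collections import defaultdict

def _report(document_uri, effective_directive, blocked_uri):
    # Shape of the body a browser POSTs to a CSP report-uri endpoint (constructed sample).
    return json.dumps({"csp-report": {"document-uri": document_uri,
                                      "effective-directive": effective_directive,
                                      "blocked-uri": blocked_uri}})

# Constructed sample reports; hosts and paths are made up for illustration.
SAMPLE_REPORTS = [
    _report("https://shop.example/checkout", "script-src-elem", "https://cdn.example/app.js"),
    _report("https://shop.example/checkout", "script-src-elem", "https://analytics.example/tag.js"),
    _report("https://shop.example/checkout", "connect-src", "https://api.analytics.example/collect"),
    _report("https://shop.example/", "script-src-elem", "https://cdn.example/app.js"),
    _report("https://shop.example/", "script-src-elem", "inline"),  # inline <script> block
    _report("https://shop.example/", "connect-src", "https://api.analytics.example/collect"),
    _report("https://shop.example/", "img-src", "https://images.example/logo.png"),  # not tracked here
]

def parse_report(raw):
    """Return (kind, blocked_uri, document_uri), or None for directives not tracked."""
    body = json.loads(raw).get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    if directive.startswith("script-src"):
        kind = "script"
    elif directive.startswith("connect-src"):
        kind = "connection"
    else:
        return None
    return kind, body.get("blocked-uri", ""), body.get("document-uri", "")

def build_inventory(raw_reports):
    """Aggregate reports into {kind: {resource: {"count": n, "pages": set(...)}}}."""
    inv = {"script": defaultdict(lambda: {"count": 0, "pages": set()}),
           "connection": defaultdict(lambda: {"count": 0, "pages": set()})}
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed is None:
            continue
        kind, blocked, page = parsed
        inv[kind][blocked]["count"] += 1
        inv[kind][blocked]["pages"].add(page)
    return inv

def new_resources(inventory, baseline):
    """Resources present in the reports but absent from a known-good baseline, per kind."""
    return {kind: sorted(set(inventory[kind]) - set(baseline.get(kind, ())))
            for kind in inventory}
```

Because the report-only header is only attached to a sample of responses, an inventory built this way fills in gradually, so a resource missing from it is not evidence that the resource is absent from the site.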
Enterprise customers with a paid add-on have access to additional classification mechanisms based on threat feeds to determine if a script, or a connection made by a script, is malicious. For more information, refer to Malicious script and connection detection.
Enterprise customers with a paid add-on can create content security rules to define a positive security model (also known as positive blocking) for resources such as scripts.
When you create content security rules, Cloudflare will generate content security policy (CSP) directives from those rules based on their configuration:
- Log rules will create CSP directives for the Content-Security-Policy-Report-Only HTTP header.
- Allow rules will create CSP directives for the Content-Security-Policy HTTP header.
For more information, refer to Content security rules.
For more background on client-side security and resource monitoring, refer to our blog post.